Comment by theshrike79
3 days ago
We have a legal contract with Anthropic
OpenClaw and OpenCode are open source projects with zero warranty and nobody to sue if they have a npm Trojan in them
3 days ago
We have a legal contract with Anthropic
OpenClaw and OpenCode are open source projects with zero warranty and nobody to sue if they have a npm Trojan in them
> OpenClaw and OpenCode are open source projects with zero warranty and nobody to sue if they have a npm Trojan in them
When has any technology company been sued for pushing accidental malware in their updates?
The reality is that you have never had anyone to sue.
Sure you did. But 99% of the time, you get the benefit of things that come with ability to sue - such as the vendor having a support team that's actually incentivized to respond to reports and deal with them quickly.
I agree with parent, "having a contract" gives you nothing tangible. Big tech providers get hacked quite commonly nowadays, some with glaringly embarrassing vulnerabilities like "the admin password was admin". All your data leaks, and the most you get from them going "sorry".
Having the ability to sue, and having the resources to sue is also not the same.
The amount of times I had to deal with support cases (as the reporter, not the handler) where I felt like the support person was actually incentivized to solve my problem vs just following the script is astonishingly low. Even with paid support. Paid support just means you get to follow their script faster.
So you don’t use any other open source software at all then?
The risk with OpenClaw et al isn't that the software itself is compromised. The risk is that what it does is fundamentally insecure and Claude Code isn't any better
That’s not the issue, the issue is that people are using their subscriptions (intended only for use with Anthropic products) with non-Anthropic products and this is simply Anthropic enforcing their ToS.
Good point. When it comes to npm Trojans you’re probably more likely to find them in dumb and boring deps like Lpad.
That's table stakes. LLMs are not like traditional software for fundamental reasons, and cannot be fully secured without destroying all value they provide.
Once again, despite everyone's protestations about not anthropomorphising things, LLMs are, to first approximation, best seen as little people on a chip. So with that in mind, it should be obvious why enterprise would prefer dealing with Anthropic's official products than OpenClaw - it's similar to contracting a team of software engineers from another well-known corporation and giving them keys to the castle, vs. inviting in any randos that show up at the door on any given day and can pass FizzBuzz test. Even if, in both cases, these turned out to be the same people, having an organizational/legal-level relationship changes the expectations and trust levels involved.